High resource usage when verifying a signature
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Jul 19 01:42:34 CEST 2015
On Sat 2015-07-18 15:57:09 +0200, Johannes Zarl-Zierl wrote:
> I've noticed that sometimes gpg2 will take around 1-2 minutes on my desktop PC
> attempting to verify an email signature.
what version of gpg2 are you using?
> At first, I thought that maybe the increasing prevalence of really big keys
> would increase the computational complexity, or that the keyserver
> communication is taking so long, but this does not seem the case.
> I'm pretty sure this happens on different kinds of keys, but today I noticed
> it on a 1024 bit DSA key. Looking into top revealed that my email program had
> spawned a gpg2 process that was using 100% of a single CPU core:
> gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 22 --no-
> tty --charset utf8 --enable-progress-filter --display :0 --verify -- -&23 -&25
> Opening the same email a second time happens more or less instantaneously (as
> far as I know, kmail does not cache the verification).
> Is this behaviour to be expected? Is this some computation that happens only
> the first time a new key is encountered?
I suspect what's taking a long time is an update to the trustdb. one
workaround is to put no-auto-check-trustdb in ~/.gnupg/gpg.conf, and
then have a nightly cronjob that runs "gpg2 --check-trustdb".
More information about the Gnupg-users